{{Header}}
{{#seo:
|description=Comparison of anonymizers considered for the implementation of the Anonymous Operating System {{project_name_long}}.
}}
{{intro|
Comparison of anonymizers considered for the implementation of the Anonymous Operating System {{project_name_short}}.
}}
== Introduction ==
This page describes, why Tor was chosen for the ''{{project_name_short}} Example Implementation'' as anonymity network and also discussed alternatives, which also have been considered.
== Tor ==
Tor has been chosen for the ''{{project_name_short}} Example Implementation'', because it is the best researched and most used network. {{project_name_short}} developer Patrick believes Tor is currently the most secure anonymity network legally available to most users. See [https://www.freehaven.net/anonbib/ anonbib] for a collection about research papers about Tor and other anonymity networks.
Many users are important, because you can only be anonymous within a big group of people. More secure networks exist in theory, such as the mixminion high latency network, but without enough users, in practice they are less secure. See [https://www.mail-archive.com/liberationtech@lists.stanford.edu/msg00022.html Roger Dingledine explanation] for details.
On the [https://www.whonix.org/wiki/Warning Warning] page are some shortcomings of Tor listed.
== {{project_name_short}} and other Anonymity Networks ==
The ''{{project_name_short}} Framework'' is agnostic about the Anonymity Network being used. In theory also Tor could be completely exchanged with any other suited anonymizing network, see [[Dev/Technical_Introduction#{{project_name_short}}_Framework|Technical Introduction {{project_name_short}} Framework]]. Development in this area stalled due to lack of interest from users, upstream developers and {{project_name_short}} developers. Anyway, there has been some research, theoretical and practical work done towards such integration, see [[Dev/Inspiration|Inspiration]] in case you are interested.
== Security considerations ==
Any successful attacks against Tor, does also work against {{project_name_short}} and will result in a compromise of location/identity. 1
{{project_name_short}} does not try to defend against network attacks, like a massive amount of evil Tor nodes, end-to-end correlation attacks and so on. The Tor software package from the Debian repository is installed in {{project_name_short}}. There are no modifications to Tor software. This is left to the Tor developers and Debian packagers.
If TransPort, DnsPort or SocksPort, which {{project_name_short}} heavily relies on, can be exploited, then it is also game over.
There is no known bug (or "feature") to obtain the users real IP address through either SocksPort, TransPort or DnsPort. If there were such a bug found in the future, which is possible, it would be a major bug in Tor. We would hope, that the Tor developers fix that bug.
There are other attacks conceivable, which we can not defend against. For example, if an adversary controls your entry node or can observe your ISP and has access to the {{project_name_workstation_long}}. He can simply use "morse" (5 seconds much traffic, 10 seconds no traffic...) And then observe the user's incoming connections. Then it is game over as well.
1 Unless Tor is combined with other means of anonymization (available as optional feature).
== Other Anonymity Networks reviewed for {{project_name_short}} ==
=== High latency networks ===
In theory, high latency networks would be safer than Tor. Unfortunately there is no high latency network, with enough users, which is well designed, developed and maintained.
=== AdvOR ===
Not suited for {{project_name_short}} at all.
[https://sourceforge.net/projects/advtor/ AdvOR],
the "Advanced" Onion Router is not suited for {{project_name_short}}. Reasons:
* No interest from the research community.
* No source control, i.e. git.
* Licensing issues (See Nick Mathewson's (Tor's Chief Architect) analysis below.)
* Absence in the Tor community.
* No Linux support.
* {{project_name_short}} developer believes the Tails developers and the Tor developers to be modest and genuine. Doing their best on providing fine software. They generally work thoroughly, come to, in Patrick's opinion, clever conclusions. A Tails developer and a Tor developer wrote about AdvOR. Patrick believes it is best not to summarize the their writings. Please read it yourself, in case you're interested.
** [https://web.archive.org/web/20130625055229/https://tails.boum.org/forum/Facebook_doesn__39__t_block_a_profile_if_logged_into_thru_AdvOR/ Answer from a Tails developer about AdvOR].
** The [https://archives.seul.org/or/talk/Oct-2010/msg00026.html Nick Mathewson's (Tor's Chief Architect) analysis] and recommends against.
* In Patrick's opinion: less safe than Tor.
=== I2P ===
==== Review ====
It may not be possible to reliably replace the Tor network with the [https://geti2p.net/en/ I2P network] for {{project_name_gateway_long}}. The I2P network is mainly designed to host all services inside the I2P network. We have to update the {{project_name_workstation_short}} operating system and software packages. That is not possible with I2P. Outproxies exist in past (http, https and socks), but too few of them? And they are not suited for use with {{project_name_short}}. They are too unreliable (too often offline). At time of writing the I2P chapter (March 2012) there where no working https or socks outproxies, which we could use for apt. (Still the case as of today?)
I2P can only be used as an addition to {{project_name_short}} (tunnel ip2 over Tor). See [[I2P]].
Even if there where enough reliable outproxies, there is one question which would have to be answered. Is I2P designed for withholding the external IP from a Workstation, i.e. does the I2P webinterface spill the external IP and if yes, can it be configured, not to? → We could make I2P listen on {{project_name_gateway_short}} local host only. And only have other services, such as the outproxy, listen on the internal interface that is accessible by {{project_name_workstation_short}}(s).
There was [https://www.whonix.org/wiki/Dev/Inspiration#I2P development idea] to install Tor and optionally I2P on {{project_name_gateway_short}}, but stalled due to lack from {{project_name_short}} developers and I2P community.
That I2P is not in Debian package sources would also make integration harder.
* [https://i2pgit.org/i2p-hackers/i2p.www/-/issues/5 I2P users can be deanonymized using browser fingerprinting].
* [https://web.archive.org/web/20210418224735/https://lists.randombit.net/pipermail/cryptography/2013-June/004580.html About I2P insecurity].
==== Summary ====
Not suited for {{project_name_short}} for the Default-Download-Version.
* No out proxies at the moment. (Can not connect to any servers outside the I2P network. I2P is much different than Tor.) Clearnet websites could not be reached, APT wouldn't work, etc. Still up to date as of today?
* Less interest from the research community.
* No interest from the I2P community.
* In Patrick's opinion: less safe than Tor.
=== VPN ===
Not suited for {{project_name_short}} for the Default-Download-Version. For details, see [[Whonix versus VPNs]].
=== Freenet ===
Not suited for {{project_name_short}} for the Default-Download-Version.
Replacing Tor with Freenet is impossible, as Freenet is a separated network, not designed to exit the network, i.e. clearnet websites could not be reached, APT wouldn't work, etc.
There was a [https://www.whonix.org/wiki/Dev/Inspiration#Freenet development idea] to install Tor and optionally Freenet on {{project_name_gateway_short}}. It would pose the questions. Is Freenet designed for withholding the external IP from a Workstation, i.e. does the Freenet webinterface spill the external IP and if yes, can it be configured, not to?
=== RetroShare ===
Not suited for {{project_name_short}} for the Default-Download-Version.
In fact [https://retroshare.cc/index.html RetroShare] is not an [https://en.wikipedia.org/wiki/Anonymous_proxy anonymizing network], it is a [https://en.wikipedia.org/wiki/Friend-to-friend friend-to-friend] (F2F) network, or optionally a [https://en.wikipedia.org/wiki/Dark_web darknet]. RetroShare has a very different audience and threat model. RetroShare does not support using an outproxy yet, for this reason, it can not replace Tor on the {{project_name_gateway_short}}.
=== Proxies / Proxy Chains ===
This is a summary of [[Tor vs Proxy]].
"(High) Anonymous" Proxies or even "Elite" Proxy Chains are not suited for {{project_name_short}} for the Default-Download-Version.
* Inferior to Onion Routing (Tor). Just two strong points (many more exist): no encryption between the user and the proxy possible (only end-to-end encryption possible); no onion routing alright (changing circuits).
* Difficult (impossible?) to find a free, stable proxy, which is supposed to be legally used as proxy and which could handle enough Default-Download-Version users.
* In Patrick's opinion: less safe than Tor.
=== Combinations of Anonymity Networks ===
Not suited for {{project_name_short}} for the Default-Download-Version.
There is too much controversy, see [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN Tor Plus VPN or Proxy].
Controversy is avoided as a political project strategy with the goal to protect the project:
Quoted from the [FAQ]: ''"{{project_name_short}} tries to be as less special as possible to ease security auditing of {{project_name_short}}. Any changes to the Tor routing algorithm should be proposed, discussed and eventually implemented upstream in Tor on torproject.org. And if discussion fails, a Tor fork could be created. Tor has already been forked at least once. Doing such changes directly in {{project_name_short}} would limit discussions about {{project_name_short}} to the security of the modified routing algorithm. To allow further exploration of {{project_name_short}} security, it is required to be as agnostic as possible about all parts of {{project_name_short}}."''
The user is able to tunnel Other Anonymizing Networks over Tor (see [[Other_Anonymizing_Networks|Other Anonymizing Networks]] in case you're interested).
== Tunneling other Other Anonymizing Networks over Tor ==
It is possible with {{project_name_short}}. ([[Other_Anonymizing_Networks|Other Anonymizing Networks]]).
{{Footer}}
[[Category:Design]]